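Huang Fei All NT下获得RING0的技术(三) 27 Aug 98 16:22:22 NT下如何取到Ring0级执行权(3) 黄飞 98/8 (注:引用本文请先征得作者同意,谢谢!) =============================================== 续(2) ...

/* IOCTL that asks the driver to tear down the call gate it created.
 * (IOCTL_CALLGATE_CREATE, FILE_DEVICE_CALLGATE and CALLGATE_IOCTL_INDEX
 * are defined in part (2) of the listing, outside this excerpt.) */
#define IOCTL_CALLGATE_RELEASE CTL_CODE( FILE_DEVICE_CALLGATE, \
                                         CALLGATE_IOCTL_INDEX+1, \
                                         METHOD_BUFFERED, \
                                         FILE_ANY_ACCESS )

/* Service name (also the device name) and the Win32 path user mode opens. */
#define STR_DEVICENAME   TEXT("callgate")
#define STR_COMPDEVNAME  TEXT("\\\\.\\callgate")

/* Fixed on-disk location of the driver image. StartService() below loads
 * whatever file sits at this path into the kernel, so the directory must
 * not be writable by non-administrators. */
#define STR_DRVEXEPATH   TEXT("c:\\test\\cgatedrv.sys")

/* Size in bytes of the METHOD_BUFFERED request/reply buffer shared with the
 * driver (the original listing used the literal 0x0C in four places). */
#define CALLGATE_IOBUF_SIZE 0x0C

VOID CallDriver( HANDLE hDevice );

/* Declare the function present in RING0.ASM. It is the routine the call gate
 * transfers to; it receives the addresses of three ints named after the
 * control registers (what it does with them is not visible here). */
void func(int *cr0, int *cr2, int *cr3);

/*
 * WinMain: entry point of the user-mode side.
 *
 * Registers cgatedrv.sys as a demand-start kernel service, starts it, opens
 * the "callgate" device, hands the handle to CallDriver(), and finally stops
 * and deletes the service again so nothing stays installed. Every failure is
 * reported with a MessageBox; the function returns 0 in all cases.
 *
 * Needs an administrative token: SC_MANAGER_ALL_ACCESS and loading a kernel
 * driver are both refused for ordinary users. Written for 1998-era NT, where
 * an unsigned driver could be loaded this way.
 */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    SERVICE_STATUS serviceStatus;
    SC_HANDLE schSCManager = NULL;
    SC_HANDLE schService = NULL;
    DWORD err = 0;
    /* CreateFile() reports failure with INVALID_HANDLE_VALUE, not NULL. */
    HANDLE hDevice = INVALID_HANDLE_VALUE;

    UNREFERENCED_PARAMETER( hInstance );
    UNREFERENCED_PARAMETER( hPrevInstance );
    UNREFERENCED_PARAMETER( lpCmdLine );
    UNREFERENCED_PARAMETER( nCmdShow );

    schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );
    if( schSCManager == NULL ) {
        MessageBox( NULL, "Error OpenSCManager()", "ERROR", MB_OK );
        return 0;
    }

    /* The handle returned here already carries SERVICE_ALL_ACCESS, so the
     * original close-and-reopen via OpenService() is not needed. */
    schService = CreateService( schSCManager, STR_DEVICENAME, STR_DEVICENAME,
                                SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER,
                                SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
                                STR_DRVEXEPATH, NULL, NULL, NULL, NULL, NULL );
    if( schService == NULL ) {
        err = GetLastError();
        if (err == ERROR_SERVICE_EXISTS) {
            /* Stale registration from an earlier run: jump to the cleanup
             * path, which reopens it and deletes it. */
            MessageBox( NULL, "Service already exists, remove it now!", "MESSAGE", MB_OK );
            goto REMOVE_SERVICE;
        }
        CloseServiceHandle( schSCManager );
        MessageBox( NULL, "Error CreateService()", "ERROR", MB_OK );
        return 0;
    }

    if( !StartService( schService, 0, NULL ) ) {
        err = GetLastError();
        if (err == ERROR_SERVICE_ALREADY_RUNNING)
            MessageBox( NULL, "StartService() already running", "ERROR", MB_OK );
        else
            MessageBox( NULL, "Error StartService()", "ERROR", MB_OK );
        /* Either way the service is torn down below. */
        goto REMOVE_SERVICE;
    }

    hDevice = CreateFile( STR_COMPDEVNAME, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
    if( hDevice == INVALID_HANDLE_VALUE ) {
        MessageBox( NULL, "Can't get device handle", "ERROR", MB_OK );
    } else {
        MessageBox( NULL, "Get device handle OK", "MESSAGE", MB_OK );
        CallDriver( hDevice );
        CloseHandle( hDevice );
        hDevice = INVALID_HANDLE_VALUE;
    }

REMOVE_SERVICE:
    /* schService is NULL here only when CreateService() failed with
     * ERROR_SERVICE_EXISTS; reopen the existing registration to remove it. */
    if( schService == NULL ) {
        schService = OpenService( schSCManager, STR_DEVICENAME, SERVICE_ALL_ACCESS );
        if (schService == NULL) {
            CloseServiceHandle( schSCManager );
            MessageBox( NULL, "Error OpenService()", "ERROR", MB_OK );
            return 0;
        }
    }

    /* Best effort: the stop may fail (e.g. the driver never started) and
     * DeleteService() is attempted regardless. */
    ControlService( schService, SERVICE_CONTROL_STOP, &serviceStatus );
    if( DeleteService( schService ) )
        MessageBox( NULL, "DeleteService() OK", "MESSAGE", MB_OK );
    else
        MessageBox( NULL, "Error DeleteService()", "ERROR", MB_OK );

    /* Both handles are non-NULL on every path that reaches this point. */
    CloseServiceHandle( schService );
    CloseServiceHandle( schSCManager );
    return 0;
}

/*
 * CallDriver: ask the driver for a call gate, transfer through it, release it.
 *
 * hDevice  open handle to the "callgate" device; NULL or INVALID_HANDLE_VALUE
 *          is rejected with a message.
 *
 * Protocol as far as this side shows it (confirm against cgatedrv.sys): the
 * CREATE request carries the 32-bit address of func() in the first DWORD of
 * a CALLGATE_IOBUF_SIZE-byte buffer, and the reply carries a 16-bit selector
 * in its first two bytes. That selector is placed in a 48-bit far pointer and
 * `call fword ptr` transfers to func() with the addresses of mcr0/mcr2/mcr3
 * pushed as arguments. RELEASE is sent afterwards whether or not the gate was
 * used, so the driver is never left holding a gate.
 */
VOID CallDriver( HANDLE hDevice )
{
    /* DWORD-typed so the address store is an ordinary aligned write, and so
     * sizeof yields exactly the byte count the driver expects. */
    DWORD ioBuffer[CALLGATE_IOBUF_SIZE / sizeof(DWORD)] = {0};
    DWORD dwBytesReturned = 0;
    /* Far pointer: farcall[0..1] = 32-bit offset, farcall[2] = selector.
     * Zeroed so the offset half is never an uninitialized read (a call gate
     * supplies its own target offset, so 0 is fine here). */
    short farcall[3] = {0};
    int mcr0 = 0, mcr2 = 0, mcr3 = 0;

    if( hDevice == NULL || hDevice == INVALID_HANDLE_VALUE ) {
        MessageBox( NULL, "Error device handle!", "ERROR", MB_OK );
        return;
    }

    ioBuffer[0] = (DWORD)func;   /* target the driver should wire the gate to */
    if( DeviceIoControl( hDevice, IOCTL_CALLGATE_CREATE,
                         ioBuffer, sizeof ioBuffer, ioBuffer, sizeof ioBuffer,
                         &dwBytesReturned, NULL ) ) {
        /* A TRUE return alone is not enough: only use the selector if the
         * driver actually wrote it back. Otherwise the buffer still holds the
         * low half of func's address and the far call would go nowhere sane. */
        if( dwBytesReturned >= sizeof(short) ) {
            MessageBox( NULL, "Callgate create OK", "CGATE", MB_OK );
            /* Low 16 bits of the first DWORD == the first two bytes on x86,
             * without the short-through-DWORD aliasing of the original. */
            farcall[2] = (short)(ioBuffer[0] & 0xFFFFu);
            _asm {
                /*Push the parameters required*/
                lea esi, mcr3
                push esi
                lea esi, mcr2
                push esi
                lea esi, mcr0
                push esi
                /*Make a far call*/
                call fword ptr [farcall]
            }
        } else {
            MessageBox( NULL, "Callgate create returned no selector", "ERROR", MB_OK );
        }
    }

    /* Always release, even if CREATE failed or returned nothing usable. */
    if( !DeviceIoControl( hDevice, IOCTL_CALLGATE_RELEASE,
                          ioBuffer, sizeof ioBuffer, ioBuffer, sizeof ioBuffer,
                          &dwBytesReturned, NULL ) ) {
        MessageBox( NULL, "Free callgate IOCTL error!", "ERROR", MB_OK );
    }
}

OK,删减了许多东东,总算两次贴完了代码. 下一次可能介绍一个简单的在RING0将要执行的小程序. :) ===============================================(3) Over. ... Huang Fei ... ========= --- xMail 1.00 * Origin: Shanghai Shake-River BBS.(021-59572197) (6:654/1001)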